Symantec researchers spotted a new nation-state-backed hacking group named Harvester. According to them, the group uses a combination of novel and publicly available tools for breaching targets.

Harvester is seen attacking IT firms, telecoms, and critical government organizations in South Asia. It’s clever in deploying the payload and conducting surveillance in the target’s machines.

A New Nation-State Backed Hacker

Researchers at Symantec have discovered a new hacking group tied to an unknown origin. All the evidence it left didn’t match any previous hacking group. Yet, observing the pattern and development of custom exploitation tools, researchers concluded the hacking group to belong to some nation-state.

Also Read- New York OAG Ordered Two Crypto-Lending Platforms to Halt Operations

They named it Harvester and used a mixture of publicly available and custom-developed tools as below;

  • Cobalt Strike Beacon – uses CloudFront infrastructure for its C&C activity. This tool is used for injecting processes, executing commands, uploading and downloading files, and impersonation.
  • Metasploit is a modular framework used for various purposes like privilege escalation, screen capture, a persistent backdoor, etc.
  • Backdoor.Graphon – a custom backdoor using Microsoft infrastructure for its C&C activity.
  • Custom Downloader – a Microsoft infrastructure used for its C&C activity.
  • Custom Screenshotter – used for logging screenshots to a file periodically.

Harvester is relatively a new hacking group, which began its operations in June this year. The last activity from the group was spotted recently, this month, attacking organizations in telecommunications, government, and information technology (IT).

Harvester is applauded for several tricky means it uses for deploying the payload and hiding it. It’s found the group is blending C2 for mixing the commands with legitimate network traffic from CloudFront and Microsoft infrastructure.

Further, the custom downloader is seen creating necessary files, adding a registry value for a new load-point, and opening a website (hxxps://usedust[.]com) in the system’s embedded web browser.

All these are made to confuse the victim, as nothing is being drawn from the said website. While researchers are yet to discover the initial vector for Graphon, they warn organizations in South Asia to remain vigilant about this attacks.


Please enter your comment!
Please enter your name here